Maulana's personal blog
Main feedMath/PhysicsSoftware Development

Browsing in Nintendo Switch

12-Aug-2020

My main motivation is just because I saw a Quora Indonesian answer here: https://id.quora.com/Termasuk-kelompok-manakah-kamu-yang-mengakses-Quora-dari-ponsel-atau-yang-mengakses-Quora-dari-komputer

It’s in Indonesian. It basically asks, “Do you open Quora from smartphone or from a desktop”. I saw a funny answer by Yusuf Adrian where he says (joking of course) that he access Quora from his Xbox console. Then there is an answer by Brian Stevianus that he access Quora using his PS4.

Reading all this, of course I was tempted to do the next step… reading Quora from Nintendo Switch

But for Nintendo switch user, you will likely know that Switch doesn’t have browser app. Or at least it have, but it is hidden.

There is a little trick behind the scene that I didn’t describe there, to unlock (or rather hack) this functionality.

Where is the browser?

Of course Switch has a browser. It has news feeds. But the first time I realized that we can expose it’s browser is when I was traveling in a train station. I connected it to the public WiFi in the train station, then I got redirected to a captive portal and I can see the browser there.

Just a little bit of intro, a captive portal is a web page that is displayed in the device when it first accessed public WiFi. It typically open a login page where you need to register yourself first, or display some ads. If you go to a Starbucks or public place you are highly likely to see this page when you connect to it’s WiFi.

A captive portal works by hijacking your traffic. Typically DNS requests. Most device will access a certain address over the internet to check “internet connection availability”, and when it failed, it will say that you are not connected to the internet. Even if you are connected to the WiFi. The router does this by hiding the route of a few select address, so your device can’t find it. Thus, you need to go over their page to login first. Until then, finally the router lets you access the internet.

Why it has anything to do with Switch?

Well, our plan is pretty simple. We want to let switch be “hijacked” and display the captive portal. However instead of doing login, we will make a captive portal that let’s you access a search engine. Like Google. From Google we can access any web page that we want.

It is so simple even someone already create a public DNS for this: https://www.switchbru.com/dns/

Well, my article here will explain how that works as DIY exercise. Then, from following the article you will know why accessing non HTTPS address over public WiFi is extremely dangerous! If you are sane like me, you don’t want to do that at all.

What do we need?

For our demonstration we need (read, I used):

  • WiFi that your Nintendo Switch can connect to
  • Linux box that can connect to that said WiFi router. Can be using ethernet/LAN, as long as it is in the same network as your Switch (Nintendo Switch, not network switch)
  • Some docker skills for easier setup
  • Some HTML skills
  • Internet connections
  • Common sense

The DIY steps

Let’s divide it by a series of steps.

Set up a DNS resolver

Easiest way I can think of is to install dnsmasq in your Linux box. Even easier to clean up later, let’s use docker image.

For internal resolver I typically use this wonderful image: https://github.com/jpillora/docker-dnsmasq. Simply because it has a web interface!

Just follow the README to set it up.

I created dnsmasq.conf in ~/dnsmasq.conf With content:

#log all dns queries
log-queries
#use cloudflare as default nameservers, prefer 1^4
server=1.0.0.1
server=1.1.1.1
strict-order

That is the minimal config for our purpose here.

Next, run the container:

docker run \
	--name dnsmasq \
	-d \
	-p 53:53/udp \
	-p 5380:8080 \
	-v ~/dnsmasq.conf:/etc/dnsmasq.conf \
	--log-opt "max-size=100m" \
	-e "HTTP_USER=foo" \
	-e "HTTP_PASS=bar" \
	--restart always \
	jpillora/dnsmasq

Your container will be up with name dnsmasq. It will use standard port 53 for DNS resolver. Most importantly, it have a web interface at http://localhost:5380 that you can access with basic auth foo:bar (user foo, password bar).

Go on, view the web interface.

Let Nintendo Switch use your DNS… switch

I know, bad pun. For now, whenever I say switch that means Nintendo Switch… ok?

From Switch’s settings page. Go into internet > choose your WiFi. Then let it connect. After that do the same thing again, but now Change Settings > DNS Settings > Primary DNS.

Set your primary DNS to your PC’s IP Address. If you don’t know about it, check using ifconfig utility. In my case here, my IP Address is 192.168.100.6. So I will use that.

Click Save, then Connect to This Network.

Let the progress runs, then check your dnsmasq web log console.

You can see that your Switch is requesting IP Address of ctest.cdn.nintendo.net. This is the address that we need to hijack. From the dnsmasq config exactly in the left side, put extra route like this:

address=/ctest.cdn.nintendo.net/192.168.100.6

That means we want to tell that whenever ctest.cdn.nintendo.net was requested, give back IP address of your PC. Don’t forget to restart dnsmasq. There’s a button there to do that.

Now we want to serve something from your PC

Create a simple webpage for the captive portal

Our captive portal is not that complicated. It’s just a page with Google links in it. Or rather, since I am using DuckDuckGo. Let’s do that using DDG.

Create a new folder where you will put the index.html page. For now, I will assume you are using ~/captive_portal

mkdir -p ~/captive_portal
cd ~/captive_portal

You can put whatever fancy things in your index.html, but make sure it has a link to a search engine.

Sample of index.html

<a href="https://duckduckgo.com">DDG</a>

Now, we want to serve this file. Hopefully you have python3, or else, you can use your favorite webserver.

python3 -m http.server --bind 0.0.0.0 80
# Or, since we are going to use lower port 80, you might need to prepend with sudo
# sudo python3 -m http.server --bind 0.0.0.0 80

It will run if you don’t have any active web server in your PC. Open your new page in http://localhost . You should be able to see the link.

Reconnect your Switch to the captive portal

Using Switch’s connection settings, do the same thing as before and reconnect. However, now you will see this page:

A failed connection page, with a Next button (like what you have if you use public WiFi). Click Next. You will now see your created page.

You can play around to see how much functionality you can get. Go to http://html5test.com to find out.

Conclusions

You can see now it is pretty easy to hijack DNS requests with man-in-the-middle attack. All you have to do is to return a different IP address for a domain requests and the user in public WiFi won’t be able to tell a difference if the site is not https.

Some rogue person in a public WiFi can redirect your traffic easily. So, do not connect to untrusted hotspot in public area. Well, unless you know what you are doing.

Rizky Maulana Nugraha

Written by Rizky Maulana Nugraha
Software Developer. Currently remotely working from Indonesia.
Twitter FollowGitHub followers